Wednesday, 11 March 2015

When super-regulators fight: the ‘one-stop shop’ in the proposed Data Protection Regulation

Steve Peers

A guilty pleasure for fans of
superhero comic books is the moment when our heroes pause in their valiant
efforts to save the public from the nefarious plans of the supervillains – and start
beating the hell out of each other instead. This is usually triggered by some trivial
difference of opinion, perhaps concerning a continuity error or intellectual
property rights.

Similarly, the EU vests its hopes
for the effective enforcement of data protection law upon national data
protection authorities (DPAs): the superheroes of the data protection world. They
have considerable powers under the current data protection Directive,
and the proposed Regulation would also give them more powers. But what
if they disagree with each other? There’s nothing in the current legislation to
settle this problem, which gives each DPA the power to regulate actions on its
own territory without addressing the obvious complications that result in a
digital age, when many forms of processing of personal data (most obviously via
the Internet) take place across borders.

To deal with this problem, the
Commission proposal contains a conflict rule to determine who is the lead
regulator in cross-border cases, with the possibility that a ‘European Data
Protection Board’ or the Commission itself can issue an opinion on the issue. This
has been dubbed the ‘one-stop shop’ rule. However, due to legal concerns, both
the Council (which is about to adopt its position on this part of the proposed
Regulation: see the draft text here), and the European Parliament (EP),
which has already adopted its position on the entire text, propose
instead that the Board must be able to make binding decisions to settle
disputes.

So this is set to become one of
the most significant innovations of the new legislation. Let’s take a look at
what the future rules will likely say about the role of national DPAs, the
one-stop-shop process and the powers of the Board.

National data protection authorities

The current Directive already
provides for the existence of DPAs, and insists that they must exercise their
powers in ‘complete independence’. CJEU case law (discussed here) has
set out a very strong interpretation of this notion, ruling that Germany,
Austria and Hungary breached it, because they provided for too much
accountability to national parliaments (Germany), failed to separate the DPA
from the ordinary civil service (Austria) and defenestrated the DPA boss before
his normal term of office expired (Hungary).

The proposed Regulation would
retain and elaborate upon this concept, and the Council and EP agree with most
of the Commission’s suggestions. Admittedly, the DPAs have to be appointed by public
authorities in the first place: after all, their powers don’t stem from being bitten
by a radioactive spider, or orphaned in a bat-infested back alley. The Council
would amend the proposal so that they don’t have to be appointed by the
government or parliament, but could instead be appointed by the head of state
or independent body. Only the last alternative would fully ensure their
independence from the outset (although who appoints the ‘independent body’?)

Three points of concern here.
First, the proposal would usefully require the national DPAs to be adequately
funded. That is easier said than done, for most DPAs complain of an absence of sufficient
funding. For instance, the Irish DPA occupies a small office next to a
corner shop – but purports to regulate (among many other things) all of Facebook’s activities in the EU. Secondly, the Council would remove the proposed
rule requiring that DPAs be independent ‘beyond doubt’ when they are appointed;
but DPAs should not be a resting ground for political hacks and bagmen. Thirdly,
the Council would remove most of the details concerning the loss of office of
DPAs, retaining only the minimum rule of four years in office. As the
termination of the Hungarian DPA showed, it’s hard to exercise your powers independently
if you constantly fear that there may be Kryptonite in your coffee.

As for the powers of the DPAs, the
Regulation would strengthen and elaborate upon their current advisory and
enforcement roles. In particular, the current powers to investigate, intervene
and engage in legal proceedings would be fleshed out, by adding powers
concerning audits, access to the premises of the controller and processor,
ordering compliance with a data subject’s request, the suspension of data
flows, or the imposition of fines.

But with these great powers will come
only limited accountability. DPAs will have to publish an annual public report
(and the EP even wants to weaken this obligation). But that’s the only way that
their decisions can be controlled, unless a cross-border complication means that
other DPAs, or the European Data Protection Board (a sort of uber-DPA) gain
jurisdiction, as discussed below. Otherwise, the only bodies which can watch
these watchmen are the courts.

Settling disputes

Although the Commission is often
accused of favouring over-centralisation in the EU, its proposed model for a ‘one-stop-shop’
was highly decentralised. Where a data processor or controller was established
in the EU in more than one Member State, the supervisory authority of the ‘main
establishment’ would have competence to regulate all that controller’s or
processor’s activity in all Member States. There would be new rules on
cooperation between supervisory authorities, in particular as regards mutual
assistance (each DPA would usually have to comply with requests from another
DPA) and joint operations.

In several cases, however, a DPA
would have had to send a draft measure to the European Data Protection Board
for its opinion. In particular, this would
have applied to measures regulating processing concerning ‘offering of goods or
services to data subjects in several Member States, or monitoring of their
behaviour’, or which would ‘substantially affect’ the free movement of data.
Following the Board’s opinion, the Commission could give its opinion, and then
could ultimately adopt a binding measure if necessary. A decision of any
supervisory authority is enforceable in all Member States, except where that
DPA breaches the consultation rules, in which case its decision isn’t valid.

However, the Council and EP both
agree to strip the Commission of all dispute settlement powers, and to confer
binding powers on the Board instead. In the Council’s version, the DPA of the
main establishment or single establishment of the controller or processor would
not be the sole authority, but only
the lead supervisory authority for
transnational processing. Even then, each national supervisory authority would
be competent to deal with an issue which only concerned an establishment in its
State, or ‘substantially affects data subjects only in’ that State, unless the
lead DPA decided to step in.

There’s a complex process for
trying to reach a consensus on a decision between the lead DPA and the other
DPAs involved. But in the event of a dispute between them, as regards the
content of a draft decision, or who is the lead DPA in the first place, or
where the procedures aren’t followed, then the European Data Protection Board can
adopt a binding decision. The Council would
remove the rules on enforceability and unenforceability of DPA decisions, but
the EP wants to strengthen them. In the event of disputes about the Board’s
decisions, the preamble sets out detailed rules on whether litigation would
take place before the national or EU courts.

The European Data Protection Board

It isn’t spelled out in the main
text of the proposed Regulation, but the future Board is clearly a
super-powered version of the current ‘Article 29 working party’, an advisory body
which is (like the future Board) made up of members of the national DPAs. That
working party can give opinions on national data protection law, data
protection in the EU and third countries, the amendment of the Directive and
codes of conduct. It has indeed issued many such opinions, which can be found
on its website. They are interesting documents which fascinate data protection
specialists, but which have not yet had any direct impact on the interpretation
of the law by the CJEU. In the Commission’s proposal, the working party would
be renamed and it would have more advisory powers, but its essential role would
not change.

However, this puny body is about
to be transformed at the behest of the Council and EP, which would both confer
significant powers upon it as regards dispute settlement (discussed above), along
with a longer list of advisory powers. The Council would also take the logical
step of defining the Board as a ‘body’ of the EU, with express legal
personality.

Finally, it should be noted that
the future European Data Protection Board
should not be confused with the current European Data Protection Supervisor (EDPS) – although I suspect
that this warning will be in vain for many years to come. The EDPS is created
by separate legislation, and has the role of enforcing data protection law against
the EU’s institutions and other bodies, as well as advising on the development
of EU data protection law. Its role in the new Regulation will be very limited.
The Commission wants it to have a seat and a deputy chair post on the Board,
but the Council rejects the first suggestion (relegating the EDPS to an observer role instead) and both the Council and the EP reject the
second one. The EDPS will provide the Board’s secretariat, but the Council
wants to build a firewall between the two administrations. In effect, while
both the Board and the EDPS will have a significant role in the EU’s data
protection architecture, there will be almost no crossover between them –
rather like comic books produced by competing publishers.

Conclusion

It is certainly necessary for the
EU to ensure that DPAs have effective powers to ensure the application of data
protection law. Although it will still be possible for individuals to bring
legal action directly against data processors or controllers (under other parts
of the Regulation, which the Council has not yet agreed), DPAs remain the
principal method of enforcing the rules. However, the draft legislation does
not fully address the key practical question of ensuring sufficient resources
for DPAs, and there is also not enough protection against dismissal or for the initial
independence of DPA staff in the Council’s draft position.

As for settlement of disputes,
the Commission’s idea of a lead DPA having full jurisdiction was fairly
attractive, although apparently it was torpedoed by the objections of the Council’s
legal service. The replacement system is comparatively convoluted, and it has
one key weakness – the absence of procedural rights for the original complainant
before the Board. Also, it leaves intact greater possibilities of multiple DPAs
acting as regards the same data processor or controller, with resulting greater
complications for data subjects, DPAs and data processors and controllers
alike. It will probably take some time (and possibly even litigation) before
the new system will be working effectively. Furthermore, the Council’s removal
of the rules about the unenforceability of DPA decisions which are taken in
contravention of the rules could lead to complications in the event of
rebellious DPAs. Finally, the existence of parallel bodies with similar names
(the Board and the EDPS) may be unavoidable, but it is unlikely to help public understanding
of the EU’s data protection system.

4 comments:

to me, the core issue (assuming the overall substance will be halfway acceptable) will be the cooperation- and consistency mechanisms: if there are strong rules that can be widely applied to stop single DPAs from interpreting and applying the rules in a weak way, by allowing other DPAs to object to such weak interpretations and applications (at least when the issues affect more than one MS/data subjects in several MSs), with an ultimate central determination by the EDPB, then the regulation will potentially have a great and positive impact, especially in the currently weak states (such as the UK and ireland, but there are others). if on the other hand, the final text reduces the effectiveness of the mechanisms (by limiting objections to "[very very very] serious objections" and by watering down the binding nature of a central determination, through words such as "must take account of" rather than "must act in accordance with"), then as you say steve, we will effectively get a directive dressed up as a regulation. moving the final determination in the consistency mechanism from the EDPB to the Commn would also seriously undermine the mechanism.

i am also worried by the numerous references in the texts to matters being determined by national law. that too is a recipe for divergence, and loopholes.

finally, re the regulation, we must keep an eye on the link with the law enforcement dp directive, and beyond that on the holes through which data covered by the new regulation can seep through to the spooks: i have spotted some danger signs there. in my view the basic approach is straight-forward: the disclosure of any data by any entity covered by one particular instrument is covered by the rules in that instrument; and the obtaining/receiving of data by any entity covered by one particular instrument is covered by the rules in that latter instrument. thus, disclosure of data by companies (search engines, mobile network operators, ISPs, banks, whatever) to law enforcement agencies, or to national security agencies, is covered by the rules on disclosures in the current 1995 dp directive, and in future by the regulation; while the obtaining/demanding/receiving of the same data from those companies by LEAs is covered by the instruments specific to the latter, and shortly by the LEDP Directive, and the obtaining/demanding/receiving of the same data from those companies by NSAs is covered by whatever laws there are that govern their actions (and under the ECHR and CFR a law there ought to be!). similarly, the rules on the disclosure of data by the LEAs to the national security agencies must be in the eu rules governing the LEAs, even if the obtaining etc. of those same data from the LEAs by the NSAs is governed by the relevant laws on NSAs. (this looks convoluted but is really quite simple when you think about it :) ) i saw some signs in the latest council texts on the LEDPD that seem to deviate from this ...

and of course, they'll still need to review the e-privacy directive (and through that, and also because of the CJEU ruling, the DRD). at least someone in the council has now proposed that the regulation will clarify the relation between the e-privacy directive and the regulation (pending review of the e-privacy directive). in my view, that relation should be that the regulation will prevail over anything in the e-privacy directive until the latter is revised. and i feel that rather than revising it to create a new subsidiary instrument, they should replace the e-privacy directive with a new section or chapter in the regulation. but that is for later.

Thanks for your comments, Douwe. As I understand the Council's text, the DPAs in cross-border cases are meant to be working as a team, and the Board will decide in any cases where there is an inability to agree on a common decision. If a large majority of DPAs take a pro-privacy approach that should usually mean a pro-privacy decision of the Board, but are you sure that such a large majority exists?

The CJEU often ignores references to national law, in particular in the context of the current data protection Directive (see ASNEF), so I wonder what effect the more limited references to national law in the future Regulation will actually have in practice.

I will come back to the Directive on law enforcement and data protection when the Council talks on that proposal get anywhere at all.

On e-privacy it would make great sense to follow your suggestion, and have an annex or a separate chapter in the main regulation setting out such specialist rules. I can't imagine there's much chance of this happening though.

However, the EDPS is not an observer in the current architecture of the Art 29 Working Party. He is a full member of the Article 29, with voting rights. Therefore it is wrong to state ("relegating the EDPS to its current observer role instead").